can files be stored in vault?


socc...@gmail.com

Aug 13, 2015, 1:29:44 PM
to Vault
Hi,
I have a requirement to store an ssh private key in vault.  Is there a way to store files in vault or is it for name/value pairs only?

Thanks!

Michael Fischer

Aug 13, 2015, 1:47:40 PM
to vault...@googlegroups.com
How large a file are you considering? You could try storing the file as a large value.  That's what we do for RSA keys.



--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/7e68f390-5efe-4253-8452-6fe08d328809%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

socc...@gmail.com

Aug 13, 2015, 2:20:30 PM
to Vault
Hi,

Thanks for your help. I think the problem is that we have to use the -tls-skip-verify option.
For example:

vault write secret/password value=@data.txt -tls-skip-verify 

Throws the error:

Error loading data: Invalid key/value pair '-tls-skip-verify': format must be key=value
while other commands like

vault status -tls-skip-verify 

do work. I think there is a bug: in fact, you can't have the value= syntax with the -tls-skip-verify option.

Thanks Again!

Clay Bowen

Aug 13, 2015, 3:20:43 PM
to Vault
The flag should be right after the command.  

vault write -tls-skip-verify secret/password value=@data.txt [<other key>=<other value>] ...

should work (but I haven't tested).

Thanks,
Clay

socc...@gmail.com

Aug 13, 2015, 3:37:40 PM
to Vault
Hi,


You are a rock star for helping. That was the answer: when using other options, -tls-skip-verify must always come first.



Trevor Grayson

Jan 16, 2016, 2:36:57 PM
to Vault
Are you aware of any file size constraints?  Are 1M, 10M, 100M+ file sizes performant in vault?  Not advised?

Jeff Mitchell

Jan 16, 2016, 4:35:10 PM
to vault...@googlegroups.com
Hi Trevor,

Size constraints aren't imposed by Vault, but they may be imposed by
the physical backend you're using. For instance, I believe Consul
limits keys to 512KB, and Vault does impose some additional overhead
to the input key size for serialization and encryption.

Generally, if your values are approaching that size, a better approach
is to either round-trip your data through transit and store the
encrypted data in an appropriate data store; or, use an encryption
data key issued from the transit backend to perform
encryption/decryption on the local machine, and then store the
encrypted value in an appropriate data store. This splits the problem
of storage and secret key management and avoids scalability
challenges.

--Jeff
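The second approach Jeff describes (ask the transit backend for a data key, encrypt locally, store the ciphertext and the wrapped key in an ordinary data store) is envelope encryption. The following is an added example, not code from this thread or from Vault: it implements the local side in Go with AES-256-GCM from the standard library. Because it must run offline, a `fakeTransit` type stands in for the transit backend's `datakey/plaintext` and `decrypt` endpoints; in a real deployment those two calls go to Vault and the key-encryption key never leaves it. The sample "file" is a constructed placeholder, not a real key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeBlob is what goes into the ordinary data store: the data key as
// wrapped by the key-management service plus the locally produced ciphertext.
// Only the small WrappedKey ever needs the KMS; the payload can be any size.
type EnvelopeBlob struct {
	WrappedKey []byte // only the KMS (transit in the thread) can unwrap this
	Nonce      []byte
	Ciphertext []byte
}

// fakeTransit is an offline stand-in for Vault's transit backend (assumption
// for this example). Real transit never exposes its key-encryption key.
type fakeTransit struct {
	kek cipher.AEAD
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func newFakeTransit() (*fakeTransit, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	aead, err := newAEAD(kek)
	if err != nil {
		return nil, err
	}
	return &fakeTransit{kek: aead}, nil
}

// DataKey mimics transit/datakey/plaintext: a fresh 256-bit key returned both
// in plaintext (used once locally, never persisted) and wrapped under the KEK.
func (t *fakeTransit) DataKey() (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, t.kek.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	wrapped = append(nonce, t.kek.Seal(nil, nonce, plaintext, nil)...)
	return plaintext, wrapped, nil
}

// Unwrap mimics transit/decrypt: recovers the plaintext data key from its
// wrapped form, failing if the blob was produced under a different KEK.
func (t *fakeTransit) Unwrap(wrapped []byte) ([]byte, error) {
	ns := t.kek.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return t.kek.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}

// EncryptLocally seals a file under a data key obtained from the KMS.
func EncryptLocally(kms *fakeTransit, file []byte) (*EnvelopeBlob, error) {
	dek, wrapped, err := kms.DataKey()
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &EnvelopeBlob{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, file, nil)}, nil
}

// DecryptLocally unwraps the data key via the KMS, then decrypts locally.
// GCM authentication makes any tampering with Ciphertext an error.
func DecryptLocally(kms *fakeTransit, b *EnvelopeBlob) ([]byte, error) {
	dek, err := kms.Unwrap(b.WrappedKey)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, nil)
}

func main() {
	kms, _ := newFakeTransit()
	// Constructed placeholder standing in for a private key file.
	file := []byte("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed sample\n-----END OPENSSH PRIVATE KEY-----\n")
	blob, _ := EncryptLocally(kms, file)
	back, _ := DecryptLocally(kms, blob)
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes, roundtrip ok=%v\n",
		len(blob.WrappedKey), len(blob.Ciphertext), string(back) == string(file))
}
```

The wrapped key is a fixed 60 bytes (12-byte nonce, 32-byte key, 16-byte GCM tag) regardless of file size, which is the point of the split: the storage backend sees only ciphertext, and Vault's per-key limits apply to the wrapped key rather than to the file.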

Trevor Grayson

Jan 17, 2016, 6:03:17 PM
to vault...@googlegroups.com
So avoid large documents in vault.  Check!  Thanks Jeff.  Great response.


Clay Bowen

Jan 18, 2016, 11:18:30 AM
to Vault, tre...@trevorgrayson.com
I allow storing files in Vault, but only to ~200kb in size.  I work with a lot of developers that store .POM files, ssh private keys, small executables that implement encryption algorithms,  lists of values, etc.  I use base64 to encode the file contents to a string and store that as the value.  On retrieval I decode the string to the original values and put it back into the file name in the local directory (I don't allow overwriting, though).

Thanks,
Clay
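Clay's approach above (base64 the file, store the string as the value, decode on retrieval, never overwrite) as an added example in Go; it is not code from this thread or from Vault. The size limit, the `name` argument and the owner-only file mode are assumptions for the example; the sample content is a constructed placeholder. Two details worth seeing in code: the limit is checked on the encoded string, since base64 inflates the file by a third and that is what the backend stores, and the restore uses `O_EXCL` so an existing file is refused rather than clobbered.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// MaxValueBytes is the assumed cap on the stored value (about the ~200 KB the
// post mentions). It is applied to the base64 string, not the raw file.
const MaxValueBytes = 200 * 1024

// EncodeFile turns raw file bytes into the string written as a Vault value.
func EncodeFile(raw []byte) (string, error) {
	encoded := base64.StdEncoding.EncodeToString(raw)
	if len(encoded) > MaxValueBytes {
		return "", fmt.Errorf("encoded size %d exceeds limit %d (base64 adds ~33%%)", len(encoded), MaxValueBytes)
	}
	return encoded, nil
}

// RestoreFile decodes a retrieved value into dir/name with the given mode.
// It refuses names that are not bare filenames and never overwrites.
func RestoreFile(dir, name, value string, perm os.FileMode) (string, error) {
	if name == "" || name == "." || name == ".." || filepath.Base(name) != name {
		return "", errors.New("name must be a bare filename")
	}
	raw, err := base64.StdEncoding.DecodeString(value)
	if err != nil {
		return "", fmt.Errorf("value is not valid base64: %w", err)
	}
	path := filepath.Join(dir, name)
	// O_EXCL makes the create fail if the file already exists.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, perm)
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.Write(raw); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	// Constructed placeholder standing in for a private key file.
	sample := []byte("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n")
	value, err := EncodeFile(sample)
	if err != nil {
		fmt.Println("encode failed:", err)
		return
	}
	dir, err := os.MkdirTemp("", "vault-restore")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	path, err := RestoreFile(dir, "id_ed25519", value, 0o600)
	fmt.Println("restored to", path, "err:", err)
	_, err = RestoreFile(dir, "id_ed25519", value, 0o600)
	fmt.Println("second restore refused:", err)
}
```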

mar...@beamartyr.net

Jan 19, 2016, 6:01:47 AM
to Vault
For key-like files (my use-case is code-signing keypairs), I usually encourage my users to store the files on our corporate file server with a strong passphrase stored in vault, both for maximum compatibility with 3rd party tools (keystore, signtool, etc) and to eliminate the "false sense of security" users might feel when they store the file encrypted in vault, and then fetch it, save it to their PC (to do anything useful with it), and possibly forget to delete it from their workstation.

Issac